Difference between revisions of "Mesh/Server security"
(Created page with "This document attempts to outline some of the steps that have been taken to enhance the security of sudomesh servers. = Automatic updates = We only ever install the debian/u...") |
|||
Line 7: | Line 7: | ||
aptitude update && aptitude safe-upgrade | aptitude update && aptitude safe-upgrade | ||
= cron-apt = | We use one of the following methods to set up automatic security upgrades. | ||
= unattended-upgrades method = | |||
Install and configure the unattended-upgrades package. | |||
aptitude update && aptitude install unattended-upgrades | |||
dpkg-reconfigure -plow unattended-upgrades | |||
Edit the file /etc/apt/apt.conf.d/50unattended-upgrades and make sure it contains a section like this: | |||
Unattended-Upgrade::Allowed-Origins { | |||
"${distro_id}:${distro_codename}-security"; | |||
// "${distro_id}:${distro_codename}-updates"; | |||
// "${distro_id}:${distro_codename}-proposed"; | |||
// "${distro_id}:${distro_codename}-backports"; | |||
}; | |||
= cron-apt method = | |||
cron-apt is installed and set up to automatically download and install security updates once every 24 hours. | cron-apt is installed and set up to automatically download and install security updates once every 24 hours. |
Revision as of 12:34, 9 April 2014
This document attempts to outline some of the steps that have been taken to enhance the security of sudomesh servers.
Automatic updates
We only ever install the debian/ubuntu repository versions of software unless the software is not available through these repositories. This goes for stuff like wordpress and mediawiki as well. This ensures that security updates can be installed with a simple:
aptitude update && aptitude safe-upgrade
We use one of the following methods to set up automatic security upgrades.
unattended-upgrades method
Install and configure the unattended-upgrades package.
aptitude update && aptitude install unattended-upgrades dpkg-reconfigure -plow unattended-upgrades
Edit the file /etc/apt/apt.conf.d/50unattended-upgrades and make sure it contains a section like this:
Unattended-Upgrade::Allowed-Origins { "${distro_id}:${distro_codename}-security"; // "${distro_id}:${distro_codename}-updates"; // "${distro_id}:${distro_codename}-proposed"; // "${distro_id}:${distro_codename}-backports"; };
cron-apt method
cron-apt is installed and set up to automatically download and install security updates once every 24 hours.
cron-apt is installed:
aptitude install cron-apt
then it is disabled in cron.d since we want to use anacron instead:
rm /etc/cron.d/cron-apt
and setup to run daily via anacron:
cd /etc/cron.daily ln -s /usr/sbin/cron-apt
The following line is added to /etc/cron-apt/config to make it use aptitude instead of apt-get:
APTCOMMAND=/usr/bin/aptitude
Per default, cron-apt only downloads updates and doesn't install them. We remove the download action:
cd /etc/cron-apt/action.d rm 3-download
Then we add the file 5-safe-upgrade containing the following line:
safe-upgrade -y quiet=2